Archive

As we discussed last week, socially engineered threats are specially crafted threats designed to lure the eye and trick the mind – they look legitimate or benign, and in worst case, may take advantage of a trusted relationship, by utilizing a compromised account or familiar website. Social engineering techniques may be used in isolation, but are often used by attackers in tandem with other types of exploit in order to perform the attacker’s real purpose – delivering the payload. What follows is a typical example that illustrates how attackers attempt to exploit both people and systems in order to achieve their goals.

Last month, Worm:Win32/Gamarue, a bot-controlled worm, was discovered as the payload of a series of browser-hijacks and traffic redirects to malicious servers hosting and performing multiple browser-based exploit attacks. The initial trigger event was identified as shared content, commented on a social networking site.

When users clicked on a link in a comment from a contact in order to see more information, they were first directed to another profile and then encouraged to click on another link.

However, this second link directed affected users to malicious content that loaded a hidden iframe (detected as Exploit:JS/BlacoleRef.D SHA1 8da25114758b2e3f454af0346ce7e716ac91c829). This iframe referenced an exploit server hosting a version of the ‘BlackHole’ exploit kit (detected as Exploit:JS/Mult.DJ SHA1 4cba7b2385b7ee7a84992ddaf77aa6d85b72b5ce). The exploit server attempted to exploit multiple known vulnerabilities in the affected user’s browser, until a successful compromise could be achieved. In our example, a malicious Java applet stored within a Java Archive (.JAR) (detected as Exploit:Java/CVE-2010-0840.FK SHA1 87800737BF703002263E3DBA680E4EE9FE9CA5B0) was observed being loaded on browsers with enabled vulnerable versions of the Java plugin. This Java vulnerability allows an unsigned Java applet to gain elevated privileges and potentially have unrestricted access to a host system outside its “sandbox” environment. The final result? The installation of Worm:Win32/Gamarue.A (SHA1 427fa7d7aa1e4ee8a57516979711e11e59e51559). When it first appeared this threat did not appear to be detected by any known scanners.

Figure 1 – Method of delivery for Worm:Win32/Gamarue.A

A code fragment of this threat suggests that it may be a new bot called “Andromeda”. Similar to known bots such as Zeus and Spyeye, Andromeda is also a modularized program which can be functionally developed and supported using plug-ins. It is also sold via an underground forum, where pricing varies depending on the version of the bot, the number of domains utilized, and the purchaser’s plugin development requirement.

The elaborate methods used to distribute this threat suggest that along with being mindful of illegitimate attempts to convince you to perform particular actions, and keeping your software updated, your choice of browser really matters. Microsoft recently launched a new website YourBrowserMatters.org, which ranks your browser security from 0-4 and provides information on the risks involved in continuing to use older versions.

​This month, we added Win32/Tracur and Win32/Dursg, two of the most prevalent pieces of malware belonging to the category of ‘web redirectors’, to our Malicious Software Removal Tool (MSRT). After just over two weeks in release, we have early numbers on our success in detecting and removing these twinned threats.

In terms of functionality, Win32/Tracur is a backdoor trojan with the capability to redirect web search queries. It is worth mentioning that about 99% of Win32/Tracur samples we have seen also install Win32/Dursg.

As mentioned in our earlier post "MSRT July 2011: Targeting web redirector malware", Win32/Tracur installs a browser helper object, or BHO, for IE to monitor web search queries. It also drops Win32/Dursg to install malicious extensions for Firefox and Opera. User query results from search engines such as Google, Yahoo!, AOL, Ask and Bing will be redirected to a malicious site. To guarantee Win32/Tracur control, it modifies several registry entries. To disguise its presence, dropped files are named similarly to Windows DLLs.

Figure 1: Snapshot of the infected Windows system folder

In the above figure, notice that new files such as audiosrv23.dll, dmime32.dll, and hnetmon32.exe do not usually exist in a clean system. Win32/Dursg on the other hand, installs Mozilla Firefox and Opera extensions as illustrated below to accomplish the same task.

Figure 2: Malicious Firefox extension

Figure 3: Malicious Opera extension

Win32/Dursg has been seen to be distributed with other malwares and file infectors such as Sality, Virut, Polip, Alureon, and Tracur, to name just a few, further assisting in its wide distribution. For complete information about the behavior of both malware families, please refer to our descriptions for Win32/Tracur and Win32/Dursg in the MMPC encyclopedia.

Since the release of MSRT on July 12, we have removed 516,517 Win32/Tracur threats from 242,517 computers making this malware the top threat on the list. Another 91,041 instances of Win32/Dursg were removed from 73,166 computers.

Family

Threats

Machines

Tracur

516,547

242,517

Sality

429,202

239,353

Cycbot

199,339

170,889

Alureon

125,475

94,857

FakeRean

90,926

84,798

Vobfus

90,004

82,670

Taterf

100,183

77,618

Rimecud

80,865

74,614

Dursg

91,041

73,166

Brontok

73,429

68,370

Chart: MSRT top malware families removed in July 2011

The big number of Tracur threats can be accounted to its dropped files. Tracur will drop modified copies of itself in the <system folder> using file names derived from existing Windows DLL names with an appended string “32”, such as hal32.dll, olecli3232.dll, olecli3232.exe, and authz32.dll.

Checking the origin of detections for Tracur, United States has the highest percentage of infections with 80%, followed by Japan, France, and Canada, accounting for 3% of detections each.

Figure 4: Win32/Tracur detections by country

For Dursg, United States has 56% of the detected infections, followed by Turkey, Canada, and United Kingdom.

In addition you can take the extra step to be informed about the risk of search-redirecting malware as you browse the Internet. You may want to ensure a browser add-on installation is your intention in that you don’t inadvertently install a potentially dangerous web browser add-on.

We recommend using Internet Explorer 9 (IE9) for browser security and key benefits that include helping users stay in control of their browsing experience. IE9 notifies users whenever a new add-on is installed. IE9 also helps improve browsing performance by notifying users about slow-performing add-ons and making it easy for users to disable them. We find that these features help raise security awareness as well.

While the Internet is an amazing resource in terms of the information you can find and things you can do today, it’s important to also be smart about how you browse. A browser can be a great tool in helping you stay safe when you go online.

Most online attacks fall into one of the three situations:

1. Malware that relies on social engineering to spread

2. Attacks directed against your browser or your operating system

3. Attacks directed towards the websites you visit

Let me spend some time describing what I mean by each of these, and also how Internet Explorer can help protect you from each of these types of attacks.

Helping Protect You from Socially Engineered Attacks

A term that you may hear on occasion within the security realm is “socially engineered attacks.” What this means is an attacker uses clever techniques to get you to lower your guard and trick you into doing something that makes you vulnerable to an attack. The idea here is that they aren’t looking for weaknesses in code; rather, they’re trying to fool you into a trap.

The ways in which we see this play out are varied; it may be that you get spam – that is to say an email from a fake bank that actually takes you to a malicious site, or an email supposedly from a friend that encourages you to download a file which may contain malware. To help keep you safe from such types of attacks, Internet Explorer comes with the Smart Screen filter technology, which has been improved even more with Internet Explorer 9. SmartScreen makes it harder for someone to trick you into opening a malicious page, or con you with a phishing site. This technology checks to see if the site you’re visiting is suspected of hosting malicious code and subsequently prevents you from continuing on to that page. Internet Explorer 9 goes one step further by warning you only when you download applications that may be of higher risk.

Technologies like this can make a big difference in helping to keep you safe online. In December, NSS Labsreported that Internet Explorer offers the best protection against the spread of socially-engineered malware. As you can see in the below chart, Internet Explorer 8 (90%) and Internet Explorer 9 (99%) offer significantly more protection than other browsers.

Mitigating Attacks on Your Browser and PC

Internet Explorer also helps protect against deliberate attacks where bad code is hosted on a site that is designed to exploit weaknesses in the software on your PC. Among all the lines of code that make up software, there can be vulnerabilities. The Internet Explorer team designed its browser with security in mind, and in comparison to other browsers, Internet Explorer has fewer vulnerabilities. The chart below illustrates the number of publicly known vulnerabilities in 2010 divided by each browser, according to the National Vulnerability Database.

*Data source: National Vulnerability Database. Data is based upon the most recently shipped versions available during this time period. In the case of Chrome, versions 5, 6, 7, & 8 were all released during this time period.

At Microsoft, products are built with a secure-by-design approach, where security is designed into the product from the ground up. The result of this effort is a browser that includes specific features to help people stay secure and technologies that help insulate the browser against exploits. In addition to Microsoft’s security processes, which includes the Security Development Lifecycle, Software Security Incident Response Process (SSIRP), and monthly security bulletins, some ways in which you might see this at a product level include features such as Protected Mode, Data Execution Prevention, and many others, both in Internet Explorer 8, and the soon to be released Internet Explorer 9.

Protecting Against the Compromised Websites

This last scenario is when an attacker that has compromised a site that you visit in a way that interferes with how your browser relates to the site. This type of an attack is called a cross-site scripting attack. In this instance, an attacker gets an unsuspecting server to load special code on your browser that allows the attacker to do anything from monitoring your keystrokes to performing actions on your behalf on the site. Internet Explorer has built in a Cross-Site Script Filter that makes such attacks more difficult and helps protect you.

The upcoming release of Internet Explorer 9 contains even more features designed to help keep you safer such as ActiveX Filtering and Application Reputation. More information on how Microsoft technologies can keep you secure can be found here.

While the Internet is an amazing resource in terms of the information you can find and things you can do today, it’s important to also be smart about how you browse. A browser can be a great tool in helping you stay safe when you go online.

Most online attacks fall into one of the three situations:

1. Malware that relies on social engineering to spread

2. Attacks directed against your browser or your operating system

3. Attacks directed towards the websites you visit

Let me spend some time describing what I mean by each of these, and also how Internet Explorer can help protect you from each of these types of attacks.

Helping Protect You from Socially Engineered Attacks

A term that you may hear on occasion within the security realm is “socially engineered attacks.” What this means is an attacker uses clever techniques to get you to lower your guard and trick you into doing something that makes you vulnerable to an attack. The idea here is that they aren’t looking for weaknesses in code; rather, they’re trying to fool you into a trap.

The ways in which we see this play out are varied; it may be that you get spam – that is to say an email from a fake bank that actually takes you to a malicious site, or an email supposedly from a friend that encourages you to download a file which may contain malware. To help keep you safe from such types of attacks, Internet Explorer comes with the Smart Screen filter technology, which has been improved even more with Internet Explorer 9. SmartScreen makes it harder for someone to trick you into opening a malicious page, or con you with a phishing site. This technology checks to see if the site you’re visiting is suspected of hosting malicious code and subsequently prevents you from continuing on to that page. Internet Explorer 9 goes one step further by warning you only when you download applications that may be of higher risk.

Technologies like this can make a big difference in helping to keep you safe online. In December, NSS Labsreported that Internet Explorer offers the best protection against the spread of socially-engineered malware. As you can see in the below chart, Internet Explorer 8 (90%) and Internet Explorer 9 (99%) offer significantly more protection than other browsers.

Mitigating Attacks on Your Browser and PC

Internet Explorer also helps protect against deliberate attacks where bad code is hosted on a site that is designed to exploit weaknesses in the software on your PC. Among all the lines of code that make up software, there can be vulnerabilities. The Internet Explorer team designed its browser with security in mind, and in comparison to other browsers, Internet Explorer has fewer vulnerabilities. The chart below illustrates the number of publicly known vulnerabilities in 2010 divided by each browser, according to the National Vulnerability Database.

*Data source: National Vulnerability Database. Data is based upon the most recently shipped versions available during this time period. In the case of Chrome, versions 5, 6, 7, & 8 were all released during this time period.

At Microsoft, products are built with a secure-by-design approach, where security is designed into the product from the ground up. The result of this effort is a browser that includes specific features to help people stay secure and technologies that help insulate the browser against exploits. In addition to Microsoft’s security processes, which includes the Security Development Lifecycle, Software Security Incident Response Process (SSIRP), and monthly security bulletins, some ways in which you might see this at a product level include features such as Protected Mode, Data Execution Prevention, and many others, both in Internet Explorer 8, and the soon to be released Internet Explorer 9.

Protecting Against the Compromised Websites

This last scenario is when an attacker that has compromised a site that you visit in a way that interferes with how your browser relates to the site. This type of an attack is called a cross-site scripting attack. In this instance, an attacker gets an unsuspecting server to load special code on your browser that allows the attacker to do anything from monitoring your keystrokes to performing actions on your behalf on the site. Internet Explorer has built in a Cross-Site Script Filter that makes such attacks more difficult and helps protect you.

The upcoming release of Internet Explorer 9 contains even more features designed to help keep you safer such as ActiveX Filtering and Application Reputation. More information on how Microsoft technologies can keep you secure can be found here.

While the Internet is an amazing resource in terms of the information you can find and things you can do today, it’s important to also be smart about how you browse. A browser can be a great tool in helping you stay safe when you go online.

Most online attacks fall into one of the three situations:

1. Malware that relies on social engineering to spread

2. Attacks directed against your browser or your operating system

3. Attacks directed towards the websites you visit

Let me spend some time describing what I mean by each of these, and also how Internet Explorer can help protect you from each of these types of attacks.

Helping Protect You from Socially Engineered Attacks

A term that you may hear on occasion within the security realm is “socially engineered attacks.” What this means is an attacker uses clever techniques to get you to lower your guard and trick you into doing something that makes you vulnerable to an attack. The idea here is that they aren’t looking for weaknesses in code; rather, they’re trying to fool you into a trap.

The ways in which we see this play out are varied; it may be that you get spam – that is to say an email from a fake bank that actually takes you to a malicious site, or an email supposedly from a friend that encourages you to download a file which may contain malware. To help keep you safe from such types of attacks, Internet Explorer comes with the Smart Screen filter technology, which has been improved even more with Internet Explorer 9. SmartScreen makes it harder for someone to trick you into opening a malicious page, or con you with a phishing site. This technology checks to see if the site you’re visiting is suspected of hosting malicious code and subsequently prevents you from continuing on to that page. Internet Explorer 9 goes one step further by warning you only when you download applications that may be of higher risk.

Technologies like this can make a big difference in helping to keep you safe online. In December, NSS Labsreported that Internet Explorer offers the best protection against the spread of socially-engineered malware. As you can see in the below chart, Internet Explorer 8 (90%) and Internet Explorer 9 (99%) offer significantly more protection than other browsers.

Mitigating Attacks on Your Browser and PC

Internet Explorer also helps protect against deliberate attacks where bad code is hosted on a site that is designed to exploit weaknesses in the software on your PC. Among all the lines of code that make up software, there can be vulnerabilities. The Internet Explorer team designed its browser with security in mind, and in comparison to other browsers, Internet Explorer has fewer vulnerabilities. The chart below illustrates the number of publicly known vulnerabilities in 2010 divided by each browser, according to the National Vulnerability Database.

*Data source: National Vulnerability Database. Data is based upon the most recently shipped versions available during this time period. In the case of Chrome, versions 5, 6, 7, & 8 were all released during this time period.

At Microsoft, products are built with a secure-by-design approach, where security is designed into the product from the ground up. The result of this effort is a browser that includes specific features to help people stay secure and technologies that help insulate the browser against exploits. In addition to Microsoft’s security processes, which includes the Security Development Lifecycle, Software Security Incident Response Process (SSIRP), and monthly security bulletins, some ways in which you might see this at a product level include features such as Protected Mode, Data Execution Prevention, and many others, both in Internet Explorer 8, and the soon to be released Internet Explorer 9.

Protecting Against the Compromised Websites

This last scenario is when an attacker that has compromised a site that you visit in a way that interferes with how your browser relates to the site. This type of an attack is called a cross-site scripting attack. In this instance, an attacker gets an unsuspecting server to load special code on your browser that allows the attacker to do anything from monitoring your keystrokes to performing actions on your behalf on the site. Internet Explorer has built in a Cross-Site Script Filter that makes such attacks more difficult and helps protect you.

The upcoming release of Internet Explorer 9 contains even more features designed to help keep you safer such as ActiveX Filtering and Application Reputation. More information on how Microsoft technologies can keep you secure can be found here.